Recently had the pleasure of upgrading a customer's hybrid configuration to use Hybrid Agents, the main reason being a less complicated hybrid design.
It did fail rather early on Install Hybrid Agent, right after entering my credentials for Azure AD, with this error: Setup terminated with an Exit Code 1603.
We could see further detailed information in Event Viewer:
Connector registration failed: Make sure you are a Global Administrator of your Active Directory to register the Connector. Error: “The registration request was denied. Details: User is unauthorized.”
We always try to use least-privileged access principles, but Exchange Online Administrator wasn’t enough. That doesn’t mean you necessarily need to be Global Administrator; this being an Azure Application Proxy registration, Application Administrator could be enough.